I am having difficulty understanding the "additional authenticated data" (AAD) of the GCM implementation. (a) What does the AAD consist of? (b) Where should the AAD be stored? (c) Is it detrimental to the operation of the cipher if I leave the AAD blank?

// Authenticated data becomes part of the authentication tag that is generated during
// encryption, however it is not part of the ciphertext. That is, when decrypting the
// ciphertext the authenticated data will not be produced. However, if the
// authenticated data does not match at encryption and decryption time, the
// authentication tag will not validate.
aes.AuthenticatedData = Encoding.UTF8.GetBytes("Additional authenticated data");

I also do not understand how I am supposed to utilize the "tag" property. (a) Do I need to store the tag once it is created? (b) Is the data authentication portion of GCM automatically implemented?

tag = encryptor.GetTag();

I'm not certain how to retrieve the IV (nonce) from the encrypted data. The code I am referencing simply makes this call:

aes.IV = GetNonce();

(a) Is this implicitly removing the first 12 bytes from the encrypted data?

If someone is actually able to answer these questions I'd be completely surprised, but it's worth a shot. Thanks

1 Answer

Well, I'm unfamiliar with this specific C# library, and so I can't answer questions about its API. I could guess, but I suspect you want something better than that.

However, I can answer generic GCM questions.

1a. What does the AAD consist of?

Well, AAD is another service that GCM provides. When encrypting messages, it is actually quite common to want to bind some context to the encrypted message; specifically so that the message cannot be decrypted in a different context. What GCM does is stir in the AAD along with the ciphertext data when generating the tag; if the decryptor doesn't have this same AAD when he decrypts, he will compute a different tag, and so the decryption attempt will fail. Hence, this plaintext AAD is bound to the ciphertext; you need both to decrypt.

Here's one example of where you might use this: in a TLS record, you have a record type that is not encrypted, followed by encrypted data. One of the things you might want to make sure of is that an attacker cannot extract encrypted data and reinject it with a different record type. In this case, you can include the record type in with the AAD; then, if the attacker does reuse the ciphertext with a different record type, the decryption will fail, and the record that the attacker modified will be rejected.

1b. Where should the AAD be stored?

That depends on what you're using it for. You might be authenticating unencrypted data that is included with the encrypted message (as in the TLS example); in that case, the decryptor would just extract it from the message. You might be authenticating some state that is shared between the encryptor and the decryptor; in that case, the decryptor would extract it from his database. You might be doing a combination of both; in this case, we'd extract parts of the AAD from different places.

1c. Is it detrimental to the operation of the cipher if I leave the AAD blank?

Not at all. AAD is a service that GCM provides for you; if you don't need that specific capability, you can just leave it blank.
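The three points in this answer (AAD binds context into the tag, the AAD lives wherever it naturally lives rather than in the ciphertext, and an empty AAD is perfectly valid) can be seen end to end with the Go standard library's AES-GCM. This is an added example, not code from the question's C# library or from the answer; `DemoKey`, the record layout and the function names are constructed for illustration. It models the TLS-style case from the answer: a plaintext record-type byte travels with the message and is fed back in as AAD on decryption, so a retyped record fails the tag check, while a message sealed with no AAD round-trips fine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DemoKey is a constructed 128-bit key for this example only; real keys come
// from a KDF or key store, never from a constant in source.
var DemoKey = []byte("0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload and binds aad (which may be nil) into the tag.
// Output layout: nonce (12 bytes) || ciphertext || tag (16 bytes).
// The AAD itself is NOT part of the output; the caller keeps it wherever
// it naturally lives (a plaintext header, shared state, a database row).
func Seal(key, aad, payload []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext||tag after the nonce, so the tag is stored
	// inline with the message rather than handled as a separate value.
	return gcm.Seal(nonce, nonce, payload, aad), nil
}

// Open splits off the nonce, then verifies the tag over ciphertext and aad
// before releasing any plaintext; a wrong AAD or modified byte yields an error.
func Open(key, aad, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// SealRecord models the TLS-style record: one plaintext record-type byte
// precedes the sealed body and is authenticated as AAD.
func SealRecord(key []byte, recordType byte, payload []byte) ([]byte, error) {
	body, err := Seal(key, []byte{recordType}, payload)
	if err != nil {
		return nil, err
	}
	return append([]byte{recordType}, body...), nil
}

// OpenRecord reads the record type from the message and feeds it back as AAD,
// so a record whose type byte was rewritten fails authentication.
func OpenRecord(key, record []byte) (byte, []byte, error) {
	if len(record) < 1 {
		return 0, nil, errors.New("empty record")
	}
	pt, err := Open(key, []byte{record[0]}, record[1:])
	return record[0], pt, err
}

func main() {
	rec, _ := SealRecord(DemoKey, 0x17, []byte("application data"))
	_, pt, err := OpenRecord(DemoKey, rec)
	fmt.Printf("untouched record: %q err=%v\n", pt, err)

	retyped := append([]byte(nil), rec...)
	retyped[0] = 0x16 // the ciphertext is intact, only the context changed
	_, pt, err = OpenRecord(DemoKey, retyped)
	fmt.Printf("retyped record:   %q err=%v\n", pt, err)

	blob, _ := Seal(DemoKey, nil, []byte("no context needed"))
	pt, err = Open(DemoKey, nil, blob)
	fmt.Printf("empty AAD:        %q err=%v\n", pt, err)
}
```

Note that nothing here parses a tag separately: Go's AEAD interface appends the tag to the ciphertext, and the nonce is prepended by convention of this example, which is what the "first 12 bytes" in the question refers to. Recovering that nonce is the caller's framing decision, not something GCM does implicitly.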